“[Luis] I was going downstairs. […] This would be like, I don’t know, Nine in the morning or so. And then I met with two guys that are going upstairs.”
It’s 2009, and Luis Corrons – a researcher working for Panda, a Spanish cybersecurity company – is at a high point in his career. Just a few weeks earlier, he took to the stage at a joint press conference with the Spanish police, and revealed to the public a successful operation that put an end to a huge Botnet known as “Mariposa”, and placed its operators behind bars. Following the triumphant presentation, Luis became somewhat of a public figure in Spain – so he wasn’t that surprised when the two young men who were walking up the stairs in his office building recognized him.
“[Luis] And then they said, ‘Hey, wait a moment! Are you Luis Corrons? I said yes, I am – and then they introduced themselves, and they told me their names. No clue. I didn’t recognize those names, first time I heard these names. First time I saw those faces. I didn’t know anything, right? And then I said – ‘Okay, nice meeting you.’ And then they said – ‘Oh, wait – I am Netkairo, and this is Ostiator.”
NetKairo and Ostiator: the two Botnet operators he just recently helped the Spanish police arrest. Except they weren’t behind bars: they were in the stairwell of his office building, standing right next to him. Alone.
“[Luis] Probably my face went white at that moment. I was like – oh my God, I’m dead.”
Cybersecurity has a “Smart Cow” problem. No, I’m not talking about AI-equipped bovine uber-hackers (although, to be honest, with AI improving as rapidly as it does, I wouldn’t rule out such a possibility in the future): it’s a term derived from the expression – “It only takes one smart cow to open the latch of the gate, and then all the other cows follow.” Applied to cybersecurity, it means that it only takes a handful of sophisticated and knowledgeable individuals that can discover vulnerabilities, create the tools to exploit them and then disseminate these tools to low-skilled Script Kiddies, to give law enforcement organizations all around the world a real headache.
The ‘smart cow’ of our story is Matjaz Skorjanc: a Slovenian programmer who in 2007 launched Darkode, a forum and black marketplace that quickly became, in the words of the U.S. Justice Department – “the most sophisticated English-speaking forum for criminal computer hackers in the world.” It was Matjaz’s actions that started the chain of events that led to Luis Corrons’ fateful meeting in his office’s stairwell some two years later.
In September 2008, Matjaz started advertising on Darkode a new creation of his: an extremely sophisticated software he named ‘Butterfly Bot’, or BFBOT for short. As often happens, the 21 years-old Slovenian advertised his software as a legitimate product that allowed IT admins to “fully stress [the] performance and stability of [their] network applications” – but everyone in Darkode knew BFBOT’s real purpose: to create and control an army of Bots – zombified computers used for all sorts of cyber crimes, from launching DDoS attacks to sending email spam. In no time, BFBOT became a bestseller: Matjaz – using the handle Iserdo – sold copies of the malware to dozens of Darkode’s members, for prices ranging from $500 to $2000.
One of his clients was a Spanish hacker named Netkairo, who led a cybercrime gang called “Días de Pesadilla” – Nightmare Days. Matjaz and Netkairo worked closely together on customizing BFBOT according to Netkairo’s needs.
Apparently they did a great job, because when the Nightmare Days group launched their botnet in December of 2008, it quickly became a huge success. Propagating via MSN messenger, USB Disk-On-Key devices and contaminated downloads in Peer-to-Peer networks, ‘Mariposa’ – Spanish for ‘Butterfly’ – infected roughly half of Fortune 100 companies and at least 40 major banks. BFBOT’s modular design allowed Netkairo and his cronies to utilize their malware for a variety of goals: stealing banking credentials and credit card information, install malicious toolbars on users’ browsers and execute DDoS extortion attacks.
Chris Davis is a Canadian security consultant who rose to prominence in the early 2000s after he helped authorities to capture a hacker who broke into e-commerce websites and stole credit card information. In 2008 Chris founded ‘Defence Intelligence’, a security company specializing in advanced malware protection. Wishing to make a name for his new company, Chris went hunting for a fresh malware to investigate – and he knew exactly where to find one.
There are several methods for controlling a botnet, a popular one being via a Command and Control server or servers with which the infected PCs communicate to receive instructions and upgrades. However, such a centralized control scheme also poses a risk for the botnet operators: if the C&C server is compromised, the whole bot network goes down with it. To counter this threat, bot operators often utilize Dynamic DNS.
DNS – short for Domain Name System – is the system that associates domain names with particular IP addresses. For example, when you’re entering “malicious.life” in your browser’s address bar and press enter, a request is sent to a DNS server – which replies with the IP address of the server that actually hosts our website, allowing the browser to communicate with it.
If the IP address of a server changes, its admin would need to update the DNS system with the new address. This is usually done manually, but if the IP address changes relatively frequently – in some scenarios, it could even change on a daily basis – updating the address manually can become impractical. This is where Dynamic DNS comes into play: it enables the network to detect IP changes as they happen, and automatically update the DNS information in real time.
As it happens, Botnet operators often need to change the IP addresses of their C&C servers quite frequently in order to avoid detection by law enforcement and nosy security researchers, which makes Dynamic DNS an important part of their botnet’s infrastructure.
While the domain name that the individual bots in a network need to ping for instructions and such,remains constant – for example, scam.bot.net – behind the scenes, the operator can switch the C&C server’s hosting service and change its IP address as often as needed.
Chris Davis, who knew all that, approached a few personal acquaintances of his that owned and operated Dynamic DNS hosting services, and asked them for a list of their most queried domains. His experience told him that more often than not, such heavily queried domains are part of a botnet. To differentiate between legitimate domains and ones that point to a C&C server, Davis examined the frequency with which the domain was queried: bots tend to ping their Command & Control servers in regular intervals, as opposed to natural human activity which tends to be more chaotic and irregular.
In short notice, Davis came upon a domain which fit his criteria: butterfly.bigmoney.biz, which received an unusually high number of queries at regular intervals of 3 minutes. Davis described his next actions in a paper later published by Defence Intelligence.
“Using our contacts at the DynDNS providers, we changed the resolve IP of one of the C&C domains to a sinkhole system we had established. Then, instead of bot-compromised systems actively talking with the botmaster, they would try to talk with us. The difference would be that we would only listen, not give orders. This allowed us to see just who was communicating with this domain, which in turn told us who was a part of the botnet. We expected to see random individual users on perhaps a few dozen home machines. What we discovered was that the botnet was already widespread across hundreds of systems and was growing daily. The machines we saw were not just public users, but major industries including dozens of fortune 100 companies.”
Butterfly.bigmoney.biz turned out to be the domain name for one of Mariposa’s C&C servers, and sinkholing it allowed Defence Intelligence analysts to examine the botnet closely. Although other security vendors already reported about Mariposa, their research showed that the botnet was much larger than anyone had suspected: it consisted of some 12.7 million compromised personal, corporate and government systems, in more than 190 countries, making it one of the largest botnets ever uncovered.
Davis published his company’s findings in a formal press release which, he was certain, Mariposa’s shady operators would find interesting as well.
“For a long time we were unsure of the botmaster’s reaction to our efforts. Had they even read any of the stories? Were they scared of us? Did they care? In late November we got our first nod from the Mariposa controllers as new C&C domains had begun to spring up in our honor. These domains included TLD variants appending the phrase “defintel sucks.” I couldn’t help but feel flattered in a way, knowing we were good enough to be hated.”
The next step would be to take over the botnet and dismantle it – but such an operation would be too big for his fledgling company to tackle. Davis decided to enlist the help of several other vendors and organizations.
“[Luis] Well, the first time, I think, it was just an email I got from some guys from Defence Intelligence, and they were telling me that they had uncovered this botnet recently. And after doing some research they found out that some of the C&C servers seemed to be in Spain. Not all of them, because there were some in the US, for example. So they wanted to collaborate with someone from Spain, and basically Panda – the company I was working for – It was the best known security company in Spain.”
This is Luis Corrons, whom we met in the beginning of the episode.
“[Luis] I’m a security evangelist for Gen, a security company that has a few brands that the audience may know: Norton, Avast, Avira. So pretty much in the Antivirus side of the security world.”
In 2009, Luis was working for Panda Security.
“[Luis] I was like the visible face of the company, as I usually talked about security in security conferences, etc. So they approached me and they told me – ‘we’re investigating this case and we’d like to collaborate with you. And so that’s what we did. […] That’s when the Mariposa Working Group was formed.”
The Mariposa Working Group consisted of Defence Intelligence, Panda Security, the Georgia Tech Information Security Center and Spain’s Guardia Civil – one of the country’s two national police forces.
The stealthy inquiry went on for several months, during which the investigators collected as much information as they could about the botnet, the networks it infected and the domains of its various Command & Control servers. Then, with the reconnaissance phase of the operation over, it was time to move in for the kill.
“[Luis] Working together to locate the servers, take control of them and then sever the connection between the botnet operators and the botnet itself. That was the main goal, and we were working towards that for a few months until we thought we had everything we needed to take down the botnet and sever this control.
And then we said – Okay, when would we do this? And we could have picked any day – but we did it on the 23rd of December, 2009. And that was not by chance.”
December 23rd was two days before Christmas.
“[Luis] Everyone in the western world is preparing for Christmas, right? So we decided to do it on the 23rd at 5pm Spanish time: it was in the morning in the US, so everyone was awake and ready to work, […] in the hope, also, that the bonet operators were more thinking on the holiday and Christmas gifts, then on taking care of the Botnet, so their reaction time was not that good.”
Netkairo Strikes Back
And so, on the 23rd of December, 2009, in a coordinated effort, the Mariposa Working Group took over the domains used by the Botnet’s C&C servers, wresting control over the almost 13 million bots from Nightmare Days group’s hands. Mariposa was dead. In Spain, Canada and the United State, members of the Working Group celebrated over glasses of wine.
But they celebrated too early. Unbeknown to the Working Group’s team members, Netkairo secretly reached out to an employee of the ISP who was assisting the Working group with sinkholing the botnet, and offered them a 500 Euros bribe. The employee took the bribe, and Netkairo could once again access butterfly.bigmoney.biz, thereby regaining control over a part of the botnet – about a million PCs, according to one estimate.
On January 24, 2009 – about a month after the take down – Chris Davis woke up in Canada to reports of a major DDoS attack on Defence Intelligence’s network.
“[Luis] So what he did was, he took the botnet and launched a Denial of Service attack against Defence Intelligence, which affected some server in Canada that was hosting not just the Defence Intelligence resources, but also some governmental resources, etc.. so it caused a bit of a nightmare in Canada for a few hours.”
It took a few more days for the Working Group to identify the renegade C&C server Netkairo was using, and this time they managed to shut it down for good.
Now that the dust had settled, Luis Corrons and his colleagues could examine the log files that detailed the communications between the Nightmare Days group members and Mariposa’s C&C infrastructure. Unexpectedly, they struck gold.
“[Luis] When we decided to do the takedown, he was the one that tried to regain control of it. So he realized that something was going wrong, he could not connect – so he started trying to connect to the different C&C servers and he couldn’t. And one of the times that he did that, he was desperate to gain control, he made a fatal mistake: he forgot to use a VPN and he connected from his home computer – from his home IP address.”
In his panicked attempts to regain control over his precious botnet, Netkairo made a fatal mistake that allowed the Spanish police to trace the connection back to his home.
“[Luis] We didn’t know that at the time, but then a few days later that’s when we found out about this. And then we learned that the guy, he was living like five kilometers from where I was working! So he was really close…what was the chance, right?”
A week or so after the DDoS attack, the police raided Netkairo’s house and arrested him: the 31 years old ring leader’s real name was Florencio Carro Ruiz.
During the raid, the investigators confiscated Ruiz’s computer, which undoubtedly held incriminating evidence against the cybercrime gang. The problem was that Gurdia Civil’s cyber division was so inexperienced in dealing with such investigations at the time, that the police had no idea what to do next. Luis and his colleagues had the know-how to conduct the delicate forensic investigation for them – but under Spanish law, only the police was allowed to conduct such investigations, and any information uncovered by Panda or Defense Intelligence could not be presented as evidence in the case. Luis, then, took a different route.
“[Luis] what they did [is], they cloned the Hard Drive of the computer that they had taken. They took it to our lab, and we did a forensic analysis of it with them. We showed them what they had to do, and then we uncovered all the evidence that were there. I think they spent like a few days in our lab, and then they went back to their place and then they performed the same procedure.
[Ran] You taught them how to actually do a forensic investigation?
[Luis] Yeah, because they hadn’t done it before, so it needed to be done properly.”
Using the information found on the disk, the police was able to arrest Netkairo’s two accomplices: 25 years old Juan José Ríos Bellido, aka Ostiator, and 30 years old Jonathan Pazos Rivera, nicknamed JPR.
The wealth of information gleaned from the seized hard drive produced one more interesting gem: the Mariposa botnet, it turned out, earned its operators somewhere around 3000 Euros per month. This might sound like a lot of money – but if you’ve listened to a few episodes of Malicious Life, you can probably tell that this is an almost ridiculously small amount of money in cyber crime terms. Remember that we’re talking about one of the largest botnets ever created, that allowed its operators access to some of the wealthiest organizations on the planet and the credit card and banking information of untold millions of victims. A competent criminal could make literally millions of dollars with that kind of power…
…which only goes to show how incompetent were Netkairo and his cronies. Their interrogation uncovered an almost comical lack of computer skills: they were basically Script Kiddies who only knew how to press the buttons that Matjaz Škorjanc – the actual ‘smart cow’ of the whole operation – created for them in BFBOT he sold them. None of them knew how to code.
The gang’s lack of skills, it turns out, cost them dearly: they missed plenty of opportunities to make “Real Money” off their fantastically successful botnet. For example, for a few hundred dollars extra, Matjaz offered the gang a module for BFBOT that would allow them to do what’s known as a ‘Cookie Stuffing’ fraud: a hack that modifies the cookies on a victim’s computers so that anytime the victim buys from e-business that has an affiliate program – such as Amazon, for example – Nightmare Days would receive a commission on that sale. This module alone would have probably netted the gang millions of dollars in commissions – but since the gang members likely had no idea what Cookie Stuffing was, they refused Matjaz’s offer. As one law enforcement officer was later quoted in an interview:
“The most likely explanation is that they didn’t even know what it was about. Otherwise, they could have multiplied the profit they were doing.”
The gang’s lack of expertise can also explain Netkairo’s amateurish mistake of connecting to his botnet without a VPN from his own apartment, during the Working Group’s takeover – the mistake that ultimately led to his and his friends capture.
Although the ‘Big Fish’ they caught turned out to be somewhat of a Guppy, this did not prevent the Spanish police from boasting about their achievement.
“[Luis] At some point Law Enforcement contact us, and they told us […] ‘ok, we are going to do a big press conference because this is a big case for us, and we want one of you to be there so.’ that was me: I was there in the press conference with the Guardia Civil, announcing to the world that this big botnet had been taken down and that the people had been arrested.”
For Luis Corrons, that should have been the end of the story.
A Meeting in a Stairwell
“[Luis] And in March, one day in March, I was in the office and I was actually waiting for a journalist: he was coming to interview me. I was in the office and we had a coffee machine, and I didn’t have any coins with me. So I said, I’m going downstairs and going out of the office to get some coins so I can pay the journalist’s coffee when he comes and interviews me.
I was going downstairs. […] This would be like, I don’t know, Nine in the morning or so. And then I met with two guys that are going upstairs.”
As the Spanish police never released any personally identifying information about the criminals they apprehended, Luis had no way of recognizing the two men standing in front of him.
“[Luis] I said Hello, and then I followed my way – and then they said, ‘Hey, wait a moment! Are you Luis Corrons? I said yes, I am – and then they introduced themselves, and they told me their names. No clue. I didn’t recognize those names, first time I heard these names. First time I saw those faces. I didn’t know anything, right? And then I said – ‘Okay, nice meeting you.’ And then they said – ‘Oh, wait – I am Netkairo, and this is Ostiator. Those were the nicknames the guys were using, and I knew the nicknames. Probably my face went white at that moment. I was like – oh my God, I’m dead.”
Luis assumed that Netkairo and Ostiator were in jail – but what he didn’t know was that there weren’t any laws in Spain back then against operating a botnet – and so the two cyber criminals were almost immediately let go, with a puny fine of some 1080 Euros.
Lucky for Luis, Netkario and Ostiator weren’t looking for revenge. In fact, they were looking for the exact opposite.
“[Luis] And then they start talking to me – ‘We just want to talk to you.’ So I said – okay, let’s go to my place, let’s go to the Lab. So We went to the lab and then we went to a meeting room. I took one of my colleagues with me: I didn’t want to be alone in a meeting room with them, to be honest. I couldn’t believe it. I mean, really – I was looking for hidden cameras, to see if someone was pulling a joke on me, because I couldn’t believe that was happening. That they were the real guys.”
“And then they started talking to me, telling me that the situation had gone out of hand, that the botnet wasn’t that big. They weren’t making any money anymore, because they didn’t have the botnet. And that one of them had a job, but he quit the job because he was making enough money with the botnet – and now he didn’t have a job, since the botnet wasn’t there, so he needed money. And I was like okay, so what? And then they said – well, we’re here because we think it will be great for you if you hire us. I was speechless. I didn’t know how to react.”
For the sake of historical accuracy, Netkairo and Ostiator weren’t the first cybercriminals who tried to leverage their ill-gained expertise to score a real job in the cybersecurity industry. In episode 22 of our podcast, for example, we told the story of Axel Gembe: the German hacker who broke into Valve’s network and stole the source code for Half-Life 2, and then applied for a job in the company. And of course, there’s Kevin Mitnick who became a very successful security consultant after his time in jail. One can argue about whether hiring an ex-con is or isn’t a smart move, but at the very least Gembe – and certainly Mitnick – were extremely good at what they did. Netkario and Ostiator, on the other hand?… not so much.
“[Luis] I was like…ahhh…seriously? Take into account that these guys, they didn’t even know how to program, right? They bought the botnet: Mariposa wasn’t developed by them. And I told them that: ‘but you didn’t even know how to program or anything!’
And then they started to tell me- Yeah, but most of the ideas and most of the modules that have been incorporated into the botnet during the development, was because we had some ideas, and then we gave those suggestions and they were implemented.
And I was like, Okay, whatever […] But I didn’t dare to tell them No to their faces, because I was a bit afraid of their reaction, right. So I said – Okay, I don’t have the final word here. I can talk to the management of the company and see what’s the feedback, but you have to take into account that being a criminal and managing a botnet, and stealing money… I mean, that’s not a good presentation card, right? […] And then they looked at me, like – but nobody knows. I said, what do you mean, nobody knows? I mean, people don’t know who we are, right? Yeah, but I do. But, no one else knows, so you can hire us and no one will learn that we are… yeah, but I do know, and I am the one hiring people here, so I have some standards… and, no, I mean, that won’t work for me. But still, as I say, I don’t have the final word so I will take a look into it, and then I will let you know.”
Netkairo and Ostiator left the office.
“[Luis]I I thought I was clear in the sense that I didn’t say no, a final No, but that I didn’t think that was gonna work. So I forgot about that.”
But a few days later, Netkairo reached out to Luis again, this time over the phone.
“[Luis] And then he says, well, you know, I’ve been talking to my other friend and as we haven’t heard back from you, we were wondering when are you going to answer us, to see what kind of a position we could get.
I couldn’t believe it. I asked him to come back to the office. So, he came a few days later and then I told him that there was no way we would ever hire them. Then he became a bit aggressive – verbally, not physically – and he really got annoyed, pissed off, and he started – You are making a big mistake, I know things, I’ve been doing some research on your software from Panda and they have found some security holes in it, and they’re going to expose them if you don’t hire me.”
Amazingly, Netkairo was trying to blackmail Luis and Panda Security to give me a job.
“[Luis] A few days later – I think it was the next day or two days later – a new video in Youtube was published. […] [It showed] a computer and how he was bypassing the antivirus.”
That would have been Panda’s Cloud-base Antivirus.
“[Luis] So, what he did there – so we can understand the skills of this guy – so he took some Trojan and put it in the computer and of course the antivirus was detecting and removing it. So then he disconnects the computer from the internet, so the cloud antivirus wasn’t connecting to the cloud. And then he showed how if you copy the trojan into the computer. And that was it. That was the “security hole”.
[Ran] That was the hack? To disconnect from the internet?
[Luis] That was it. Yeah.
[Ran] The video is still on Youtube, by the way, I found it. Not a lot of views. The audience probably understood that it’s not a very big deal.”
Realizing that his less-than-stellar hacking skills failed to intimidate Panda, NetKairo tried a different method.
“[Luis] so he created a copycat Twitter account of mine. My Twitter account is @louis_corrons, and he created the same one – but instead of an L it as with a 1. And then he started following all the people that were following me in order to get some follows back […] and then whoever had created that account started to publish clips of a gay porn video. It’s kind of childish, you know…”
But Netkario’s harrasment attempt was so obvious, that Luis’s followers immediately realized what was happening, and reported the copycat account to Twitter, which promptly shut it down – even before Luis himself was aware of its existence…empty handed and probably frustrated, Netkairo and his gang slipped into obscurity, and were never heard from again.
A New Begining
For a few years, Matjaz Skorjanc – the Slovenian programmer who ran the Darkode blackmarket – enjoyed a tremendous success with his BFBOT: Chris Davis’ team tracked almost 700 website domains that were being used to control instances of Matjaz’s BFBOT, suggesting that he sold hundreds of copies of his bot kit.
But it seems that selling BFBOT to the Nightmare Days Script Kiddie gang was a mistake that cost him dearly, because the information gained from their investigation allowed the Slovenian police to uncover Matjaz’s true identity, and he was arrested in Slovenia in 2010. He was sentenced to 4 years and 10 months in jail, and all his crime proceeds were seized.
Apparently, Matjaz learned his lesson, and decided to change and ways for the good. He rebranded himself as a Cryptocurrency expert, and became the CTO of a crypto marketplace called NiceHash, which was owned by his father.
But running away from your past isn’t easy – and in Matjaz’ case, impossible. In 2017 NiceHash was hacked, and approximately $52 million dollars worth of Bitcoin were stolen from its coffers. This prompted NiceHash’s clients to probe a bit deeper into the CTO’s murky past – which he unsuccessfully tried to hide – and naturally, all suspicions were directed at him. Matjaz lamented his misfortune in an interview to Slovenian publication:
“I barely picked up, and I’m back on the floor. […] I am not a man who wants to harm anyone. What happened in the ‘previous’ times could be attributed to my naivety. At the age of 22, I was not aware of the consequences that my actions might have.”
It was later discovered that it was probably North Korea who hacked NiceHash – but if Matjaz hoped that this revelation would help him get back to his feet, these hopes were quickly dashed when he was arrested in Germany in 2019: the US, it turned out, issued an international arrest warrant for him and three other members of the Darkode cyber crime forum, including Mariposa’s Netkairo. The trial against them is still ongoing.
It seems that a butterfly can take down a cow…even a smart one.